The Storm Worm, which made headlines a few weeks ago, was one of the first worms that came out with a known capability for infecting Windows Vista. Given the ever increasing threat of worms of this nature and the more rapidly adaptable tools malicious people are using, it's no wonder that many companies are turning to third party solutions to help them keep their own offices safe.
Recently, I had the pleasure of speaking with Joel Smith, the co-founder and Chief Technology Officer of AppRiver. AppRiver is a spam filtering and virus filtering company that does pre-filtering on mail, taking the load off onsite hosted servers. We talked about the nature of mail-propagating worms these days, as well as what role third parties are playing in putting a stop to them. If you've ever wondered exactly why large companies are finding themselves needing extra help or about how the nature of Internet worms is changing, you'll find the interview interesting. One particular tidbit that stood out for me was the future of “Storm”:
”... we actually think that this deployment was a test run. It was so quick that we think they were just testing the grounds, and in the next week or two they may plan a much more sophisticated campaign.”
Could it be on its way back? We also went a bit into what role his company plays in fighting spam and worms. Read the full interview here.
TechSpot: Tell me first about the evolution of spambots. We're seeing servers inundated with mail, even relatively new servers. Are there concerns over the ability to fight spam in the future, with the way it evolves?
Joel Smith: They have definitely changed. We definitely see an increasing amount of servers spamming and the amount of mutating occurring.. We notice some of these things just based on the sheer volume of mail with new servers, but we also see that the spambots are tending to use larger blocks of IPs, and use them only for a short duration. Then they'll switch to a new set, so we have a constant change of where the blast is coming from. The cat and mouse game is always going on. As we get better at it, they go back to their drawing board. We update, they buy our product and learn how to get around it. We're always in sort of a latency mode as well. We can't filter it without seeing it, so our job is to have our systems alert and ready to give us a head up. We have to be on the bleeding edge of the campaign to succeed.
TechSpot: Tell me more about the Storm Worm.
Joel Smith: With this one, you probably saw how fast and quickly it took hold. This one definitely supplanted Netsky, which has been on the chart for over two years. Inside of three hours, it was number one. We were really surprised, because of how easy it was to block, and how simple its attachments were. There were only a handful of variations on its name, despite the 300 or more variations of the worm itself. What we're expecting, what we see a possibility for, is for it to come back with much more random names and being much more dynamic. We actually think that this deployment was a test run. It was so quick that we think they were just testing the grounds, and in the next week or two they may plan a much more sophisticated campaign.
TechSpot: Tell me a little bit about how AppRiver's servers look for these types of threats, and puts a stop to them. Do you have someone watching 24 hours a day?
Joel Smith: We do have a 24 hour a day set of techs. 24/7, 365 days a year. The whole system is proprietary, but it is similar to regex matching. We've designed it ourselves, specifically around spam. It doesn't do statistical analysis, but rather absolute analysis with our rules. We write them all ourselves, for specific sets of code. That's why rather than guessing, we are specifically targeting the threats we see.
TechSpot: Tell me a bit about your competition, places like Postini. What are your advantages over them, would you say?
Joel Smith: Well, we are focused much more on the smaller business. We offer more granular controls for business oriented spam filtering. Postini has gotten so big by serving the ISP market that they have a lot of users. Doing that, they tend to have less granular controls, and you'd more expect to find a slide rule. Whereas with us, we offer more dynamic controls. However, all service providers in the anti-spam market are good. It is all about model. Generally speaking, we all will have a really good capture rate. Sometimes people come to us and say 'Why should we go to you instead of Postini?'. We may say, 'You shouldn't.'
TechSpot: With an increasing amount of phone spam and the obvious indication that the more people that use a technology, the more likely it is to be abused, what can you say about things like SMS filtering and web filtering?
Joel Smith: The SMS filtering is something we're already looking into. We've working with a couple of a different phone companies. SMS filtering is fairly easy, to the fact that it is text based, so patterns are pretty easy to pick up on. If they ever had a scenario when they pushed something other than SMS, like forcing ActiveSync to do something, it would require change. SMS may adapt. The Web filtering is definitely a new vector of attack. If you had kids in the house, guests, etc, going to various places like MySpace or any other sites, the idea that most people get is that the kids should have their own computer. You don't want to keep your finances on the same machine. An example is CitiBank, who recently suffered data loss because of that. Even though they are using things like keyfiles that can give you by minute or by hour login codes, a man in the middle program was able to circumvent that. It's a place for growth.
TechSpot: Thanks for your time.
Joel Smith: Thank you.